Importance of Operational Technology systems in maintaining a secure standard of living

The Operational Technology (OT) networks that run modern society, such as industrial control systems and supervisory control and data acquisition systems (ICS/SCADA), are collections of devices designed to work together as one integrated system. If one of these systems fails, the failure can cascade like a row of dominoes. For example, the electrical grid depends on telecommunications to exchange the information needed to wheel power between regions. Those same telecommunications carry the financial transactions between electricity producers and consumers. The generators themselves burn coal, natural gas, oil and other fuels to produce the power that keeps the telecommunications and financial companies running. Railroads and trucks deliver those fuels to the generating plants. And on it goes.

The point is that the resources and services produced by the 16 critical infrastructure sectors (known collectively as Critical Infrastructure and Key Resources, or CIKR) are intertwined, and together they enable and sustain society's standard of living.

Cyber manipulation of the OT systems and devices essential to a nation's security, public health and economic vitality, and the importance of protecting these and similar ICS/SCADA systems, has been a focus of concern since at least the 1990s. That may seem like a long time ago, but many of the measures put in place then evolved into the security technologies used to protect IT systems today.

Securing CIKR is a big challenge for a number of reasons. First, these systems were originally designed to be stand-alone and air-gapped, so perimeter protection was considered unnecessary. They are also workhorses that produce their product continuously, so downtime, even for maintenance or patching, is hard to schedule. And because their life cycle can exceed 30 years, the equipment and the operating systems running it are often far out of date or obsolete.

This is all changing. The biggest change is that these OT systems are no longer stand-alone. In many cases they are now connected to corporate networks to supply business information and data, and their telecommunications links increasingly reach the Internet or telecommunications carriers so that operators can respond in real time to shifting system or consumer demand.

The CIKR industry has been slow to adopt newer technologies because its OT systems have consistently produced an essential end product, year after year, using their current processes. Whether that product is electricity, pharmaceuticals, chemicals, food or something else, these OT systems have historically worked day in and day out without catastrophic failure. That does not mean parts of the system never fail, but the systems are designed with enough resiliency to absorb such failures and keep producing. This is why legacy systems from the late 1980s are still in operation today, and are still essential to the production of even the newest products delivered by the 16 critical infrastructure sectors.

Modern security specialists, especially those from IT environments, often ask why OT systems aren't better protected from cyberattack. Many of these legacy systems were never designed with cyber protection in mind, potentially putting critical services and even lives at risk. Layers of cyber defense can be added to them today, but that comes at a cost, both in deployment and engineering effort and in ongoing operational overhead. Another approach would be to bake protection into the hardware for continuous coverage. That would be the best long-term answer and is being investigated, but given the lifespan of much of the equipment in place, a natural transition to inherently secure systems may take decades. And besides the risk of interrupting essential services, replacing these systems costs about as much as overlaying security technologies on them.

Cost is always a factor in long-term investment decisions for OT systems, both because of their longevity and because of the legacy systems they incorporate. One proposal for funding the needed evolution is to pass the costs through to consumers of the services. That may not be sustainable, however, because consumers of the products these OT systems produce have already built the long-term fixed costs of those resources into their other expenses. The additional expense of new technologies, combined with their dramatically shorter life cycles, may quickly become cost prohibitive. Some of these costs also cannot be passed on to consumers because of laws, regulations and similar constraints. Reaching consensus among vendors and OT system owners on the cost of protecting OT systems, and on how to fund those changes, has been a struggle for decades.

Until recently there was little concrete evidence that baked-in protection against cyber threats was needed. But with Stuxnet, Shodan (a search engine that indexes Internet-exposed devices, including ICS equipment), the 2015 and 2016 attacks on Ukraine's electrical distribution and transmission networks, and other incidents targeting OT systems, it has become crystal clear that these systems must be protected if today's digital economy is to remain viable. The immediate need is for security products that protect CIKR OT systems end to end while enabling secure external access to them where required.

This is not news to the OT and ICS/SCADA communities, who have been living with this dilemma since the 1990s. The overarching concern for all OT and ICS/SCADA systems is to protect them against every form of cyber manipulation so that the CIKR sectors can continue to provide the goods and services modern society depends on.

Given the interconnected nature of the CIKR sectors, what is the best first step toward building in protection? And what is the best strategy for managing the cost of upgrading all of these sectors to be inherently protected, especially considering the expected size of that cost?

Given the interconnections between the various CIKR sectors, the first step in cyber defense has to be segmenting these networks into individual lines of control. Segmentation isolates the different OT environments from one another, so that if one is compromised the others can continue to operate. The next step is to protect the messaging between the human-machine interface (HMI), the historian database, the communication switches, the Remote Terminal Units (RTUs) or Programmable Logic Controllers (PLCs), and the end devices. Encryption keeps an attacker from reading those messages, but on its own it does not stop a captured message from being replayed or a forged one from being accepted; the messages also need to be authenticated, so that a PLC rejects any command that does not carry a valid integrity check from a trusted sender. Without the ability to read genuine traffic, and without the key needed to authenticate a message, an attacker cannot script malware that mimics a real command in order to cause harm.
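The following Python example is added here to illustrate the point above; it is not code from the original article or from any vendor's product. It builds a plain Modbus/TCP "Write Single Register" request (function code 0x06, a real and widely used OT protocol that carries no authentication), then wraps it in an authenticated envelope consisting of a sequence number, the frame and an HMAC-SHA256 tag. The envelope layout, the pre-shared key and the register address and value are assumptions of the example. It shows that a forged command, a replayed command and a tampered command are all rejected by the receiver, while the genuine one is accepted. Confidentiality (TLS or an AEAD cipher) would be layered on top in practice; the example focuses on integrity and freshness, which are what actually defeat command forgery.

```python
"""Authenticated envelope around a Modbus/TCP write (added example, not the article's code)."""
import hashlib
import hmac
import secrets
import struct

# Assumed pre-shared key between the HMI and the PLC-side gateway (example only).
PSK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
TAG_LEN = 32  # HMAC-SHA256 output length


def modbus_write_single_register(unit_id: int, address: int, value: int, tid: int = 1) -> bytes:
    """Build a plain Modbus/TCP 'Write Single Register' request (FC 0x06).

    MBAP header: transaction id, protocol id (0), remaining length, unit id.
    PDU: function code, register address, register value.
    Nothing in this frame is secret, so anyone who can observe one can build another.
    """
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def seal(frame: bytes, seq: int, key: bytes = PSK) -> bytes:
    """Wrap a frame as seq || frame || HMAC(key, seq || frame).

    The tag covers the sequence number as well as the frame, so a captured
    command cannot be re-sent later under a fresh counter value.
    """
    body = struct.pack(">I", seq) + frame
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """PLC-side verifier: checks the tag and enforces a strictly increasing counter."""

    def __init__(self, key: bytes = PSK):
        self.key = key
        self.last_seq = 0

    def open(self, envelope: bytes):
        """Return the inner frame if the envelope is authentic and fresh, else None."""
        if len(envelope) < 4 + TAG_LEN:
            return None
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:  # replay or out-of-order delivery
            return None
        self.last_seq = seq
        return body[4:]


def demo():
    """Run the four cases and return (accepted, forged_rejected, replay_rejected, tamper_rejected)."""
    plc = Receiver()
    genuine = modbus_write_single_register(unit_id=1, address=0x0010, value=500)
    env = seal(genuine, seq=1)
    accepted = plc.open(env) == genuine

    # 1. Forgery: attacker mimics a real frame but cannot compute a valid tag without the key.
    forged = modbus_write_single_register(unit_id=1, address=0x0010, value=0)
    forged_env = struct.pack(">I", 2) + forged + secrets.token_bytes(TAG_LEN)
    forged_rejected = plc.open(forged_env) is None

    # 2. Replay: the captured genuine envelope is sent a second time.
    replay_rejected = plc.open(env) is None

    # 3. Tampering: flip one bit of the register value inside a genuine envelope.
    tampered = bytearray(seal(genuine, seq=3))
    tampered[-(TAG_LEN + 1)] ^= 0x01  # last byte of the body is the low byte of the value
    tamper_rejected = plc.open(bytes(tampered)) is None

    return accepted, forged_rejected, replay_rejected, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

The sequence counter is what turns a plain message authentication code into replay protection; in a real deployment it would be persisted across PLC restarts or replaced by a challenge-response nonce, since a counter that resets to zero lets an attacker replay the first captured commands.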

Additional layers of defense are needed, and many of them can be added a little at a time: two-factor authentication for wired and wireless access, Security Information and Event Management (SIEM) systems, patch management and so on. The bottom line for CIKR owners is that a product still has to come out of the end of the process for sale to the market, whether electricity, petrochemicals, natural gas, pharmaceuticals, food, water or treated waste water. So the return on investment (ROI) of such cybersecurity upgrades has to be weighed against the cost of not producing the end product should a catastrophic cyber event occur. In today's digital world, that event seems more a question of when than of if.
